Check Your Template, And Look For Unfamiliar JavaScript Code, Following Odd Blog Behaviour

Recently, we've been seeing some odd problem reports in Blogger Help Forum: Something Is Broken, suggesting deviously hijacked blogs.
"My blog is requesting me to login, using a user name and password, when I view it."
Given the URL of the window requesting the login, it's a simple matter for us to use the right forensic Internet software, and to locate a relevant snippet of code, frequently installed as part of the blog template.

Sometimes, when we reply to the blog owner with advice to remove a bit of dodgy code, we get a response suggesting disbelief. Our advice
"Use the Template Editor, and remove the highlighted code snippet."
may receive a confused or skeptical response.
"Where did that bit of code come from? I never installed that!"
How did the code in question get installed? Discussing one possible scenario may require thinking outside the box. Not every unrecognised blog change is caused by the blog owner forgetting an intentional accessory install or template tweak.

Looking at the subject / theme of some blogs involved in recent problem reports, we're seeing the beginning of a trend, which may indicate a new - and very subtle - blog hijacking technique. We know that Blogger blogs are subjected to brute force password guessing attacks, and we know that Blogger / Google has to consider the possibility that a brute force attack is only detected after the attack has succeeded.

Current blog security, and defense against blog hijacks, involves detection of hijack attempts, by Google Security. It's possible that some blogs, depending on the owning Blogger account and its password, are more vulnerable to sophisticated password guessing.

When you login to Blogger or Google, you hopefully know the right account name and password, and are generally able to get logged in - after maybe one or two mistakes. You learn, soon enough, that if you have to guess your account name or current password - and you require more than a couple tries - you may have to solve yet another CAPTCHA, or request account unlock, to continue.

The ever unpopular CAPTCHA / locked account comes from Google, detecting a possible brute force attack in progress, and protecting your account and your blogs. A Blogger blog, with its content providing enough clues, combined with a simple account password that is easily guessed, may allow an experienced hacker to login to your account in one or two tries, without being detected by Google attack monitors.

It's alternately possible that some attacks are being conducted by very patient hackers, who are able to use days, and / or thousands of different computers, to conduct a throttled brute force password attack. Again, the attack proceeds without providing a detectable pattern.

This may help to explain the mysterious spam blog setups, of last year.

A hacker, able to login to a Blogger account without being detected, could install small changes in a blog template without ever being discovered. The blog owner would never discover subtle template changes, made by an easily satisfied hacker.

Finally, a hacker could install latent code that does not activate immediately, as we observed during Winter 2009 / 2010, so no blogs show symptoms until the hack is installed on thousands of blogs. If one or two blog owners discover the odd code in their blogs, who would ever suspect that their blog is part of a massive cloud of victims?

If you report odd behaviour by your blog, you write to Blogger Help requesting advice, and you are advised to remove a bit of dodgy code from the template - and you do not remember having installed the noted dodgy code - you may want to review your Blogger / Google password, and make the password harder to guess. Better still, start using 2-step verification for logging in to your Blogger / Google account.
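
One way to carry out the template check this post recommends, as an added example that is not from the original post: compare the template text copied from the Template Editor against a copy you saved earlier, and list every script that was not there before. The sample templates, host names and function names are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Record each <script> as ('src', url) or ('inline', sha256 of its code)."""
    def __init__(self):
        super().__init__()
        self.scripts = {}   # fingerprint -> short preview for the report
        self._buf = None    # chunks of the inline script being read, else None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = (dict(attrs).get("src") or "").strip()
            if src:
                self.scripts[("src", src)] = src
            else:
                self._buf = []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            code = " ".join("".join(self._buf).split())  # ignore whitespace-only edits
            if code:
                digest = hashlib.sha256(code.encode()).hexdigest()
                self.scripts[("inline", digest)] = code[:60]
            self._buf = None

def collect_scripts(template_text):
    parser = ScriptCollector()
    parser.feed(template_text)
    parser.close()
    return parser.scripts

def unfamiliar_scripts(baseline_text, current_text):
    """Scripts present in the current template but absent from the saved copy."""
    known = collect_scripts(baseline_text)
    return sorted(p for k, p in collect_scripts(current_text).items() if k not in known)

# Constructed sample templates (not taken from any real blog).
BASELINE = """<html><head><title>My Blog</title>
<script src='https://cdn.example/gadget.js'></script>
<script>var blogTitle = "My Blog";</script>
</head><body><p>Posts</p></body></html>"""
CURRENT = BASELINE.replace("</head>",
    "<script src='https://unknown-host.example/x.js'></script>\n"
    "<script>var  blogTitle = 'changed';</script>\n</head>")

if __name__ == "__main__":
    print("\n".join(unfamiliar_scripts(BASELINE, CURRENT)))
```

Anything the comparison reports is code to read closely before deciding whether to remove it; an empty result only means no script was added or altered since the saved copy was taken.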
